New research explores third-party risks

Study Identifies Role of Internal Audit Activity


ALTAMONTE SPRINGS, Fla./CHICAGO – Data from a recent study published by The Institute of Internal Auditors (IIA) Research Foundation and Crowe Horwath LLP suggests there are opportunities for organizations to improve their management of third-party risks. The new research report, which is largely based on a survey of 164 chief audit executives (CAEs), found that more than three-quarters (78 percent) of the respondents said they had either “some concern” or “high concern” about difficulties with monitoring third parties’ risk management practices.

The study—“Closing the Gaps in Third-Party Risk Management”—was undertaken to address the inherent risks presented by the growing business trend to outsource. To a great extent, this trend is a result of today’s global business environment—coupled with fast-paced changes in technology, increased customer expectations, and new and stricter regulations.

A hefty 90 percent of study participants reported using third-party technology vendors. More than 65 percent described their organizations’ reliance on third parties as either “significant” or “extensive.”

“The research results regarding the propensity to outsource were not surprising,” says Rick Warren, the study’s author who is a principal in Crowe Risk Consulting and leads third-party risk services for Crowe. “It is important to note, however, that there is a lack of consensus on ownership of third-party risk,” he says. Having spent most of his career advising corporate clients on risk management, governance and internal control matters, Warren views risk ownership as inherent in good risk management.

“Internal auditors are right to be concerned about third-party risks,” says IIA President and CEO Richard Chambers, “because, after all, these exposures closely mirror many of the risks that threaten all aspects of today’s organizations.”

Study participants expressed concern over various third-party risk exposures such as supply disruptions, anti-corruption regulations and investigations, data breaches and remediation costs, and reputation damages. The data suggests that, given the requisite skills, the internal audit activity could add significant value to third-party risk management. The internal auditors could provide an objective perspective on such areas as the risks that third-party relationships bring to the organization, whether third parties comply with regulations and policies, the relative maturity of the third-party risk management program, and process improvements for third-party interactions.

Four out of five organizations (82 percent) devote less than 20 percent of their internal audit resources to assessing third-party risks. A small percentage said their organizations devote a significant portion of their internal audit resources to auditing third-party relationships. In fact, the research shows that the allocation of internal audit effort to third-party risk issues for organizations reporting “significant reliance” on third parties was almost the same as that of those that said their use of third parties was “moderate” or below.

Chambers views third-party risk and control assessment as a logical function of modern-day internal audit activities. “With the prevalence of outsourcing in today’s business arena, the involvement of the internal auditors in assessing third-party risk is not only legitimate, but essential,” he says. “The challenge, though, is ensuring they have the requisite resources and executive-level support to fill this need.”


About The Institute of Internal Auditors Research Foundation
The IIA is an international professional association with more than 180,000 members in 190 countries, and is the internal audit profession's global voice, recognized authority, and principal educator.  The IIA Research Foundation is a 501(c)(3) tax-exempt (in the United States) corporation formed to provide and expand research and education for the benefit of internal auditors, the business and government communities, and the general public. For more than 35 years, The IIARF has been the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal audit profession.

About Crowe Horwath
Crowe Horwath LLP is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values®,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world.

Contact us

Amanda Reich